Posted
by
timothy
on Wednesday January 15, 2003 @08:29PM
from the but-sircam-does-this-for-me-already dept.

linuxwrangler writes "One hopes the /. crowd knows the perils of discarding storage with sensitive data but this article drives home the point. Two MIT grad students bought used drives from eBay and secondhand computer stores. Among the data found on the 158 drives were 5,000 credit-card numbers, porn, love-letters and medical information."

It's one thing to make sure you securely wipe any drive of your own you get rid of, but you can't do anything about old drives or paper files that a company or hospital might discard containing sensitive info about you.

Occasionally there are new reports about someone finding a stack of files by a dumpster containing sensitive medical or financial information about a lot of people. The same surely holds true for old drives or computers disposed of by careless companies.

Picked 6 or 7 old 4gig HDDs from my father's company a few years ago, found their company credit line information, personal (and some very erotic) email, and a surprisingly large collection of nudie photoshopped Gillian Anderson photos. Oh yeah, and like 100 different (and I must say, very well-done) quake2 "crackwhore" models and skins lol. I love the people who don't clear their HDDs, it's like treasure chests, you never know what you're gonna get.

Thats not so bad. My dad happens to be a garbage man and often brings along an occasional system he's scavanged from the dumpsters along his route. Currently I have in my possession an old IBM Aptiva with some guys bank account information on it (He did his checking and stuff with it apparently), but worst of all I have what appears to be an old Gateway tower used to store Medical information for a major hospital in the area my father works. I have over 2 gigs of peoples medical history, including what they were put in the hospital for, insurance information, release dates ect.

I should really do the honost thing and reformat it but its always fun to flip the thing on and just page through stuff.

bought 158 used hard drives at secondhand computer stores and on eBay. Of the 129 drives that functioned

Everyone knows that HD's contain data.. I would be more impressed if they broke down the numbers of where the BAD drives came from. That would make a much more informative story. I've bought as-is before in person but never online.

That was the Policy at the IBM facility I worked at in the early 90's. I tossed piles of computers into this big ugly compacting trailor once that was done with it I doubt you could recover anything. Funny thing about that is employies took piles of "compacted" parts home with them well I guess if they wanted the data in the first place they could have gotten it anyway in building security was light network wise untill you hit big iron.

Anyone happen to know any share/freeware programs out there for Windows 2k that will recover deleted files. I am intrested in running it on my computer to actually see what I can recover and see how well PGP's disk wipe function works.

Why not remove the hard drive and donate the computer to a local school. Even at a couple of years old the computer is still useful for students and the school would be more than happy to pick up a new hard drive for it.

We go through a large # of computers a year, and I try to donate the carcass, or at least make sure it's recycled properly. (Charitable organizations, unless specially equipped to handle PCs, are wary of junk computer donations.)

However, I *always* remove the hard disk drive, disassemble it, and give it the sledge hammer treatment. I just don't have the time to get them running again, and write the erase patterns to every track and sector.

Maybe if there's ever a good, transparent, drive-level PGP available, I'll rethink this strategy, but until then, I put on the safety glasses and hammer away, after opening the drive case to expose the platters.

Here's a sugesstion to drive manufacturers--make a convention where if certain pins on the IDE connector are jumpered together, and the drive powered up, it will do a low-level format automatically. Then I might choose to erase the disks, so long as I didn't have to hook them up to a computer and run a program.

Roughly speaking that'll do it. I'm sure there's nice trickery you can do to, say, get the equivalent of/dev/true (opposite of/dev/zero) and get the size from the file, etc. etc. Note the sync's so it actually hits disc rather than buffer. Technically there should be a sleep or two in there in case of a journalled filesystem....

A few years back I found some backup cartridge tapes (the big 4x6 kind) and a couple of tape drives at a Goodwill store. While there wasn't anything particularly useful on it, I could tell that it was the shell account machine used by half a dozen or so Ingres developers.

No database code or data, just typical home directories and stuff. And they were running SCO, but boot blocks and stuff don't generally get written to tapes, so no chance of warezzing from it.

I also snag SCSI hard drives and SyQuest cartridges when they show up for five bucks or less at thrift stores, since most of that is Mac stuff and I'm a Mac-head.

Once I got a 6100 at a thrift store. I presume the owner stopped using it when the PRAM battery died. (When a 6100's PRAM battery dies, the video settings go with it, and unless you're using a fixed-frequency monitor, you get no video unless you hold down command-option-P-R. Looks like real bad a hardware problem when it's just the battery.) I could tell it was used by some college guy, studying to be a lawyer, I think.

"Thrift store hard drives are like a box of chocolates... you never know what you'll find!"

Speaking of this, whatever happened to the BIOS lowlevel format option? My old Laser 386 allowed you to lowlevel format any of the harddrives through CMOS setup... it would seem like that's a pretty simple feature to add, and plenty useful.

If I remember right, the DoD standard was to erase the file by writing random bits over it 7 times....although that was before some researchers found that you could still read the original data if you had a scanning electron microscope.

So even if I take all the steps necessary to make sure my data is safe on my computer, odds there is a business throwing away hardrives that have my data on them without properly removing all the data? Wow, I can't believe this isn't a hotter topic. I also wonder how this affects certain websites privacy statements. Sure, they don't give your information away intentionally, but they may give away a harddrive full of personal data without even realizing it.

Costly? Get two similar HD and swap the PCB. Chances are decent that only the PCB was dead, there ya go all the data and no need to load up some forensic software to read the deleted data since the drive is assumed "dead".

Yes, I have done this and recovered valuable information. Of course, Both drives where mine anyway, but still.

Now for or something really scary.I run a computer shop in the southeastern United States, much of my work involves the local school systems. Several years ago (Long before 9-11) a local school received a donation of several pallets of computers, monitors, printers, and other equipment from a local military installation. The donation was properly processed through the Defense Reutilization and Marketing Service (DRMS) and should have been cleared of any sensitive materiel.I was contracted by the school to take the entire load and build as many working systems as I could out of the parts. As I begin to put systems together and power them up I was staggered by the fact that at least half of the hard drives were FULLY intact and no attempt at all had been made to remove sensitive data.I of course had to take a closer look. Much of the data concerned simple day to day non-sensitive routine base operations (I am x-military so much of it was familiar to me). HOWEVER on one of the intact drives I found something that KNOCKED MY SOCKS OFF! Setting there on that hard drive spinning on my work bench was pile of data concerning the moving of NUCLEAR weapons and other nuclear materials and conventional weapons around the United States. The data contained information such as routes, schedules, manifests, and duty rosters. I WAS DUMBSTRUCK. How could this have happened? This drive should never have left a controlled area, EVER, it should have been destroyed. This was inexcusable! Of course in a situation such as this all manner of thoughts go though your head. Thoughts such as; What kind of damage could a enemy of the U.S. do with this data. What would this data be worth to someone unethically inclined. If they knew I saw this data they would probably lock me up and throw away the key just for good measure, and of course WHAT SHOULD I DO WITH THIS DATA? In the end I destroyed the hard drive and the data it contained and kept my mouth shut. That has been at least 8 or 9 years ago and until this day I have never told anyone and thank God that due to the passage of time I have forgotten most of the particulars of the data I saw.

At a former employer who will remain nameless they had secure areas. To get in you needed a clearance and if you didn't have a full government clearance all of the people in there would power off their boxes until you left. You were also constantly watched and doing sysadmin stuff in there was an adventure because they could do whatever they wanted since they weren't hooked up to the regular network.

When they moved some of these labs all of the equipment was shrinkwrapped and escorted to the new location to prevent tampering while in transit.

I think I had something to say. Oh yeah. Ok, when hard drives and backup tapes got old they had to format them X number of times (I forgot the exact number), then physically smash them and then burn the remains. All in a secure manner (ie: not taking them to the local Springfile Tire Fire).

Anywho, a friend of mine had to replace RAM from one of their Suns, and I went with him. They let us leave with the RAM and didn't think twice about it. 2 or 3 minutes after we left my friend realized he may be able to take the RAM and actually read the data off of it somehow, assuming it was still saved.

Perhaps this could be applied to other things including external processor caches and VRAM as well.

There doesn't seem to be much point in overwriting more than once with the same zero pattern (the article makes this mistake too, though the original authors probably don't). There are really two levels of sophistication we're hoping to elude here:

a) People using the drive's own interface to retrieve "deleted" data
b) People doing direct signal analysis of the magnetic media to find successive generations of overwritten data

Once you've overwritten the disk once (whether with dd, a real SCSI low-level format, or some other means), you're in regime (b). Assuming you're paranoid and/or justifiably concerned enough to bother with repeated writes, using the same bit pattern does little - and zeroing is especially non-optimal, from what I've read. Random bit patterns seem a likely candidate, but randomness is actually particularly easy to divine in a signal.

People have experimented with instead writing various repetitions of constant strings with good success, but what might be ideal is a chaotic pattern that approximates the look of the expected data without divulging anything real (interesting thought - perhaps this is what some of the porn they found was for!). Write that a few times and you have a honeypot that might mislead a naive investigator into thinking there's nothing more to be found - but even this is difficult because the "freshness" of the bit patterns can be determined by their relative signal strength, and you can't simulate age using the default write current no matter how many new patterns you lay on. You can only hope you've made the old, real data so faint that it disappears into the background noise. Since there's no real way to guarantee this, people with real secrets to hide have to physically destroy the media. So much for reduce, reuse, recycle.;)

The technique of extracting the data is akin to the work of deep-sky astronomers, military listening posts, or even sedimentary archaeology. It's quite an interesting problem, as is making the data unrecognisable. The parallel with copy-protection is obvious, and the outcome is the same - an escalating war of technique between intrigued hackers, where the party acting later in time (the deprotector / signal analyst) always has an advantage.

As an aside, when using dd to copy large amounts of data to disk you can often speed things up immensely by tailoring the (output) block size to the destination device.

I remember working on my very first IBM pc. My girlfriend's mother was dating a guy and he gave her an old 8086 computer (this was back in '94 or thereabouts). Well, I started playing with the computer. He had an early version of Norton Utilities on it. I played with the undelete file utility and found that there were lots of deleted files. I recovered some of them and started to read them. Most were boring. One wasn't

This guy wrote about my g/f's mom about how he was banging her for the last 15 years. She had only been widowed for 10 years. He also complained about how she only came around when she needed money and how he was tired of banging her wrinkly ass.

Also, this guy was a principal at an elementary school. He was apparently fucking several women at the school, even getting blowjobs at work!

I was simply amazed. My g/f didn't even really know that this guy was dating her mom (some women are so stupid). She just thought he was a family friend. I couldn't tell her about what I found because I knew she would have been really upset.

I learned from that day on that simply deleting a file was not going to hide anything. I'm actually holding onto a defective laptop thathas been broken for months. I don't want to toss it out until I can either recover the harddrive data myself or until I can safely dispose of the harddrive.

Last year, my employer of 12 years went out of business. The company was secretly being run improperly for quite a while and the owner closed the doors the same day he found out about the mismanagement.

Being the IT director, I helped the owner, my friend, with the office computers. I planned on wiping all the hard drives and I informed the owner of my plan. He agreed that it was a good idea.

From the next three months, watching the bankruptcy process unfold, I got questioned left and right as to why I wiped the data. The accountants wanted to know why...the lawyers wanted to know why...the liquidators wanted to know why...the court wanted to know why. I understand that a system with an installed OS is more valuable than one that has been wiped clean(the data had been backed up so there was no question of whether data had been destroyed) but this should not be unusual. Nobody asking me these questions were newbies--their jobs involved dealing with bankrupt companies and it was as if they had never seen this before!

There was a quote somewhere saying that a heap of data could be recovered from even a square millimetre of hard disk platter.

So let's have a think about the maths. I don't know what the physical interior of a hard disk is like, but the exterior is in the vicinity of 10cm (4in) across. If the platter were square, that'd be 100*100 square millimetres. (It'd be round, so the actual number would be about 25% smaller.) Suppose we were talking about a 40gig disk. That's 4 meg per square millimeter.

Now if hard disks were made up of lots of layers, say 1000 of them, that's still 4K per square millimeter per layer, and you've got one hell of a pulverising job ahead of you!

There's good reason why high-security areas go through their elaborate sequences of electronic shredding (multiple data overwrites), physical shredding (makes the hammer look weak) and thermodynamic shredding (I daresay *someone* can get data off a hard-disk after you've treated it with thermite!)

I used to work for the Queensland Police's IT department. We had to take used HDD to the dump personally and arrange for one of the bulldozers to crash them. Basically anything that had a memory chip had to be physically destroyed, old ram, old NICs, everything.

Burn the ISO, boot to the CD, then wait a *really* fucking long time for it to scamblefuck the drive. (You can also use a floppy disk...but nowawayd why use something that a magnet could possibly fuck?)

(I have no idea whether or not this is military-grade. Can anyone comment? And if not, provide something *better*?)

It literally removes the magnetic code/signatures from the HDD. I used to work at a data recovery shop (yes one with static room where we physically remove the data etc...) and even we couldn't recover anything off a HDD that has been passed through one...

The only bummer is they draw lots of amperage on a 220... (meaning they literally dim the lights even on my very well powered home...)

The NSA/DOD/Whatever probably uses these when they erase a HDD for redistro/etc...

Assuming a DNA sample is not old or degraded too much you can tell between identical twins. Twins have the same genes but not the same DNA. Same thing with clones. A clone would not be exactly the same... there are many ways to tell the differance between the two.

My wifes company - health care company - gave away the old office computers a few years ago. With out wiping the hard disks. We got two computers - both the co-owners with all of the memos intact. It made for some interesting reading - filling in those awkward questions about people who didn't come to the company picknick.

Say you are working on an uber secret project (or miltary plans or viewing gay pr0n) and the "men in black" come running in your house. Assuming you are more than 5 seconds away from being on the floor with a knee on your neck, how would you keep intruders from getting your data? (Or looking at what you were viewing, you sick freak)

Some sort of explosive device on a trigger next to your mouse?
A shotgun blast? (Hoping you hit the drives and don't get shot...)
Fast acting fantasy software to write random data 144 times over the disk in mere milliseconds?

I like the stack of lost floppy disks sitting in the campus lab. One day I started looking through them.

On the third disk I noticed a file named "Moms Credit Card". We can all guess what the file contained.

Fortunately for that poor student, I'm a nice guy and I wiped the disk so that the information wouldn't be abused. However, the next disk contained Frat Party planning meeting minutes that were quite entertaining. (Someone was violating campus alcohol rules.)

Anyway, I stopped looking after the 5th disk, and there were over 500 lost disks in that lab. All of the disks were found withing the last 4 months. If you want to get dirt to use on people, visit a college lab, shuffle through the lost disks, hold onto the information for a few years and then see how much that lost disk is worth to them.

If you have a HD that has sectors that go bad, many HDs (or operating systems) will mark the block as bad and off-limits so it doesn't get used any more.

This of course poses a problem with most "erase" type programs, as there may not be a way that the eraser can override either the operating system "bad block" mark, or the drive's "bad block" internal mapping.

If something critical happens to be in a block marked bad on the HD, there may not be any way to securely erase it 100% via software and you'd need to destroy it physically.

Data from a hard disk that as been
wiped multiple times can be recovered.

Data left in SRAM and DRAM for a long
period of time can be recovered even
though the system has been powered off
for a while and the SRAM has been cleared.

While it is hard to recover wiped and
old data, it is not impossible.

First, a little background:

I belong to a group that polls/tracks certain
elections around the world.
In one recent election, there were a number
of claims of voting irregularities.
Our group became part of a post-election
analysis team to look into these irregularities.

We were able to determine that one desktop
system in particular contained some critical
raw voting data (raw precinct counts of
per ballot slot data).
The election officials were more than
reluctant to give us a copy of that raw data.
By the time we were granted a order requiring
the election officials to let us access the
data, someone had attempted to
throughly wipe
the desktop system of all traces of data.

We thought we had lost that critical data.
But thanks to a chain of contacts we
were referred to a
consultant that specializes in
extremely difficult data recovery.
After checking some references (and
obtaining more money from OUR client:
the consultant was VERY expensive),
we hired this consultant.

Much to the surprise of the election officials
we obtained an order that allowed us to
physically take possession of the system.
The system was turned over to the
consultant who recovered
enough critical election
data for our needs.

The recovery included data from the wiped
system hard drive as well as from
SRAM and DRAM.

Regarding disk recovery:

The disk drive had been wiped by a utility
that, we presume, had been run from a CDROM.
The wipe tool wrote over the entire disk
35 times, 8 of them were random and
27 of them were fixed patterns of 3 bytes
each.

Not all disk data was recovered.
Part of the reason was that the data recovery
method was not 100% perfect.
Part of the reason that some data was
not recovered was a simple matter of time.
(The consultant was in between two already
committed
projects and only had a limited amount of
time to work for us.)

The
consultant did recover some deleted files
that were
critical to our work.
Not everything was recovered, however.
Parts of the
swap/VM-paging area that might have contained
some useful data were not recovered.
Also some disk data critical to file and
directory layout was not recovered making
recovery of parts of the file system
layout difficult
to map.

Still,
some important files (a spreadsheet,
simple database file,
browser cache, some EMail, etc.) were recovered
even though the drive had been wiped
35 times!

There are methods that can recover RAM data.
Both SRAM and DRAM can be recovered.

According to the consultant,
the storage of the same data in SRAM over a
long period of time has the effect of altering
the preferred power-up state.
They said that SRAM can ''remember''
data for days after it held it for a
long period of time.
This memory can be determined by a
''partial powerup'' (I presume
they mean a lower than normal voltage?)
and then going ''full on'' and
reading the initial values of memory.

In the case described above, the SRAM had been
deliberately
cleared prior to our group taking possession
of the system.
The consultant was able to recover the
original data even though the SRAM had
been cleared and the system has been
powered off for more than a day.
A simple clearing of memory was not
enough to wipe out the long held
memory effect.

Regarding DRAM recovery:

DRAM data was also recovered.
Data left in DRAM for a long period of time
can leave an ''impression'' thru a
process somewhat different from SRAM.

As explained by the consultant:
With DRAM, recovery comes not from detecting
any left over charge, but rather detecting
the stress (or lack of stress) from the thin
oxide of the cells storage capacitor dielectric.
The effect of this stress can be measured by
using the DRAM self-test feature.
In self-test mode, a small voltage is applied
to a cell in order to measure its margin
for error.
The self-test margin is increased or
decreased by the amount of oxide stress.

Not all of the DRAM memory was recovered.
However certain critical portions of the
DRAM held values for long enough period of
time that data was recovered, even though
the system has been powered off for more than
a day.
Data recovered included memory associated
with a browser and a spreadsheet.
Even though both the browser and the
spreadsheet were closed prior to the
system being wiped, they were left
running long enough to leave behind
their DRAM oxide stress.

Based in part
on the recovered data, we concluded that
candidate A was declared the winner
due to a ''mistake''
in mapping ballot slot numbers to candidates.
In some cases the slots for candidate A
and B were reversed.

An incorrect vote count
was reported by the election officials.
It is our guess that when we came around
asking for the raw data, someone began to collect it.
At some point some official(s) discovered
the blunder.
The system was left on
while they stalled for time.
When it was clear that we were going to force
them to turn over the data someone wiped
the system and shut it down.

BTW: The majority of the election officials
involved were supporters of candidate B.
Even though their blunder caused them to
declare candidate A the winner, they still
tried to coverup their mistake.

Our conclusion was that the attempt to
coverup the mistake was motivated by
not wanting to admit the major blunder
instead of because of candidate A's influence.
This conclusion was reached in part because
of messages that we recovered on another
system that was not wiped.
However we would have never been able to
find that other system, nor would we have
been able to match the raw slot numbers
with the reported vote counts by candidate
name without the help of the data
recovery consultant and the critical data
that they recovered.

I'll offer a few observations:

Volatile data such as SRAM and DRAM
is not as volatile as you might think.

With enough will, skill and effort,
old data can be recovered from a disk
that has been overwritten multiple times.

Packages such as PGP file wipe,
GNU shred or
Boot
and Nuke [sourceforge.net]
are likely to only
make it harder, but not impossible to
recover the data.

To quote from a paper by
Peter Gutmann:

''

Data which is overwritten an arbitrarily large number of times can still be recovered provided that the new data isn't written to the same location as the original data (for magnetic media), or that the recovery attempt is carried out fairly soon after the new data was written (for RAM). For this reason it is effectively impossible to sanitise storage locations by simple (sic) overwriting them, no matter how many overwrite passes are made or what data patterns are written.''

And even though in that paper next says:

''

However by using the relatively simple methods presented in this paper the task of an attacker can be made significantly more difficult, if not prohibitively expensive.''

For our consultant, the
recovery process was hard but not
extremely difficult.
It was expensive for us, however.:-(
But we were happy to pay to have it done.:-)

Whoever wrote the 35-pass disk wipe tool
must have read that paper, or one similar
to it because the overwrite patterns
looked similar to the recommended list.

I bought a refurbished power mac not so long ago and it appeared to come from united airlines and did contain quite an amount of serious sensitive data. Reports/emails about illness of an employee, financial stuff, flight planning etc.

It was right there, no attempt had been made to delete it at all. Sigh.

My company bought a new hard drive once from a large retailer. It had a conspicuous scratch on it so we checked out the contents before overwriting, thinking it might not be all that new. We found some rather personal stuff there. Pictures of baby taking a bath with dad and so forth. I can understand regular people not thinking of wiping a drive before returning it (and perhaps being unable to, if it's not functioning quite right or the box won't even boot), but if you're going to sell a refurbished drive at the price of a new one, better wipe that sucker good. Then there's the more serious issue of them handing their customer's private data over to another customer.

Another interesting case came up when my company was in its death throes and was firing people left and right. When the admin was backing up the content of their hard drives prior to wiping, a lot of interesting non-work-related stuff cropped up. I'm not talking about a little gay porn. One guy had dozens of documents related to different couples' divorce proceedings! Ouch;)

The real lesson here is that the people you sometimes have to entrust your data to can't necessarily be trusted.

One thing to consider is turning your system in for repairs. I used to own an Apple G4 Cube and when I sent it in for repair, Apple decided simply to send me a new one. While I didn't have anything on the hard drive except some MP3s and Email, who knows where that disk is now and who has it? It is something to think about if you have your computer serviced.

After reading all the posts of this topic, I have concluded that physical destruction is the best way to go. Although I have no doubt that a program designed to securely erase the hard disk would be effective enough for me, my hard disks are simply too big for this approach. Who wants to wait on 7 or more passes on a 120GB hard disk?

And then you got Guttman deletion, which uses 35 passes, each of which, when combined together, basically flips the bits so much that the data is really unrecoverable. It's even designed to get around caching and the various encoding standards for hard drives.

I'd like to see IDE hard drives that encrypt every sector -- but done in the drive's electronics.

Before the drive can be used, the mainboard (bios?) must first issue an ide command to set the key that the drive used for reading/writing each sector.

WIth a properly configured bios, the bios could ask you for the key during power on self test.

You run your computer off a UPS. If the bad guys are going to serve a warrant, raid you and steal your gear, they might first cut the power to prevent you from inserting a linux "reformt-the-drive" floppy and punching reset. The UPS helps against this.

But even if you can't get the drive reformatted, and the bad guys attach your drive to one of those drive copying gizmos to collect evidence, all they get is encrypted blocks. Or better, if the drive electronics detects an attempt to do this, massive sequential copying of blocks, but without first having issued the decryption key command, then the drive electronics could simultaneously return random bytes to through the ide interface to the copying gizmo while actually overwriting the corresponding sector on the drive with different random data.

Another way to look at this from the point of view of the drive electronics is that if the drive is powered up, and very much access is attempted without the decryption key command, then the drive can assume that it is NOT physically in the good guy's computer where it belongs.

While the technique described here is also good to prevent data mining of your hard drive, it is most useful in preventing data mining by the bad guys who might steal your drive for evidence.

Years ago I bought a CP/M system complete with a 30MB 14" hard disc at a computer show consignment table. I couldn't get it to boot up but I was able to poke around on the disc by writing and reading directly to the controller. I discovered some erased files and one was the previous owner's resume, a developer for Pickles and Trout. So....I called him up and he helped me get it working. He was suprised I found his deleted resume and I assured him I'd wipe it as soon as I got it working. That drive also had the source to most of their CP/M development. It made for some fun reading, pre-DMCA, of course.